On Tue, 27 Jan 1998, Chris Jacobson wrote:
> Attention ANYONE WHO USES ASCII PFILES!
>
> A major back door has just been found. It was exploited on my MUD, I
> finally discovered how it was done.
>
> Using this bug a player can take control of the MUD totally, wipe the imm
> char and replace it with their own version.
Player idnum can't be hacked, because it comes after the description and
is always present. Level could be hacked by a lavel 0 player, but you
could fix that easily enough be making level always save.
A lot of simple solutions have been mentioned. I think I fixed this in my
copy long ago and forgot about it, because it works ok for me.
Personally, I'd just hack string_add to make ~ a terminator along with @.
Then you get the added benefit of protection against clever builders who
put ~'s in mob/obj/room descriptions to break world files and keep the mud
from booting.
Sam
+------------------------------------------------------------+
| Ensure that you have read the CircleMUD Mailing List FAQ: |
| http://democracy.queensu.ca/~fletcher/Circle/list-faq.html |
+------------------------------------------------------------+
This archive was generated by hypermail 2b30 : 12/15/00 PST